Generic PKCS#11 HSM Provider
PrivX can be configured at install time to use a generic PKCS#11 HSM. You can use this for testing PrivX with HSMs that are not explicitly supported.
SSH does not provide support for the generic PKCS#11 HSM configuration option. Using it in production deployments is not recommended.
The following configuration options are prompted when configuring PrivX to use the
- PKCS#11 provider library path
- Optional feature flags:
aes-gcm-zero-iv: Supply all-zeros IV for AES-GCM encrypt and let HSM generate the IV
aes-gcm-luna-random-iv: Supply zero length IV for AES-GCM encrypt and let HSM generate the IV (used with Safenet Luna)
aes-gcm-padding: Pad input to AES-GCM encrypt using the PKCS#7 padding method
sym-key-size-in-bits: HSM reports symmetric key size in bits
fips-mode: Disable functionality that is not supported when HSM is in FIPS mode
serialize-ops: Serialize all PKCS#11 provider library calls
disable-object-cache: Disable internal object handle caching
vormetric-mode: Enable Thales Vormetric DSM specific functionality
ncipher-mode: Enable nCipher HSM specific functionality
- Keyvault symmetric-encryption algorithm:
AES128withGCM: AES-GCM with 128 bit key size
AES256withGCM: AES-GCM with 256 bit key size
AES128withGCMPkcs7Pad: AES-GCM with 128 bit key size using PKCS#7 padding for plaintext
AES256withGCMPkcs7Pad: AES-GCM with 256 bit key size using PKCS#7 padding for plaintext
Was this page helpful?